Senator Evan Bayh (D-IN) has been working the right side of his brain hard over the last couple of weeks. Aside from making the ludicrous claim that HRC is better poised than Obama to win a general election against McCain because the states she won count for more electoral votes, he’s been using creative math elsewhere too.

Senator Bayh, along with two others, has sponsored the China Currency Manipulation Act of 2008. If passed, this ominous sounding act is poised to coerce the Secretary of the Treasury into finding that China is manipulating their currency and that the IMF should be consulted regarding what remedies can be sought to correct or stop this evil manipulation.

On 3 April 2008, Bayh’s office shoots out a press release where he says:

American companies and workers are put at a major competitive disadvantage when China engages in massive intervention to lower the value of its currency and lower the cost of Chinese goods…This legislation will force the Treasury Department to stop turning a blind eye to Chinese attempts to gain an unfair trade advantage by undervaluing their currency.

This guy is so out of touch with reality that the mind boggles as to where his statistics come from. Let’s take a look at some hard numbers. A year ago today, one US dollar was worth 7.72 Chinese yuan. Today, the Chinese yuan is trading at around 6.98 to the US dollar. While the yuan has appreciated against the dollar by about 10%, this guy complains that China manipulates their currency to undervalue it.

His other claim is that China is working to lower the costs of Chinese exports. I work in the manufacturing industry and get information first hand about what is going on in China. There is not a shred of truth to what Bayh says, and in fact the opposite is true. Between mandating that workers are only allowed to work 5 days per week, or else receive excessive overtime pay, and requiring employers to enroll them in umpteen different types of social insurance, to cutting electricity on certain days of the week, to tightening controls on pollutants, there is nothing going on in China that reduces the cost of anything. The only price pressures are upwards and these are all artificially created by the Chinese government.

Bayh’s facts are so incredibly wrong and at odds with the truth that the only explanation is that he’s living in an alternative universe. The sad truth is that most Americans won’t know the difference and will accept as fact that China is evil and America is the only country willing to stand up to it.

I’ve moved my blog over from Movable Type to WordPress. The main problems I’ve had with Movable Type are that the comment and trackback handling is confusing and sub-par, and the theme interface is god-awful. I’ve been thinking about making the switch for more than a year but never got around to it because of the daunting task of making sure that all my old permalinks, category and date archive pages have an HTTP 301 redirect to the new WordPress pages.

The most common method for doing this seems to be to maintain the old MT install in parallel with the new WP install and have MT publish pages that have HTTP 301 redirects to the new WP pages. Another alternative is to use mod_rewrite in a .htaccess file. However, this is complicated when the MT dirify directive is used, because there is no systematic way to translate from the old links to the new. So the only “automated” way of doing this was to maintain the old MT install and publish HTTP 301 redirects through that.

I really didn’t want to do this, and wanted to deprecate MT immediately. So I opted for the “low-tech” method of manually coding just over 200 redirects in my .htaccess file. This covered the 186 individual entries, plus the date-based and category-based archive pages.
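As an added example (not code from the original post), here is a small Python script that generates the Redirect directives for a hand-made mapping like the one described above and emulates how Apache applies them, so the ordering can be checked offline before the file goes live. The paths in the mapping are constructed for illustration and are not the blog's real permalinks. The matcher encodes my reading of mod_alias (directives are tried in file order, the first match wins, and the match is a prefix match at path-segment boundaries); treat that as an assumption to confirm against your Apache version. The point it demonstrates is the one gotcha a hand-written redirect list has: a short catch-all such as /archives/ placed near the top silently swallows every more specific entry below it.

```python
"""Generate mod_alias Redirect directives for an MT -> WordPress move and check
their ordering offline. Added example; the mapping below is constructed."""
import re
from typing import List, Optional, Tuple

# Constructed mapping (hypothetical, not the blog's real permalinks):
# old Movable Type path -> new WordPress path, in the "natural" order someone
# might type it, with the catch-all first.
MAPPING: List[Tuple[str, str]] = [
    ("/archives/", "/"),
    ("/archives/2005/", "/2005/"),
    ("/archives/2005/03/", "/2005/03/"),
    ("/archives/2005/03/hello_world.html", "/2005/03/hello-world/"),
    ("/archives/cat_security.html", "/category/security/"),
]

# Conservative: anything outside this set would need quoting or escaping in
# .htaccess, so refuse it rather than emit a directive Apache may misparse.
_SAFE_PATH = re.compile(r"^/[A-Za-z0-9._/%~-]*$")


def redirect_lines(mapping: List[Tuple[str, str]], most_specific_first: bool = True,
                   code: int = 301) -> List[str]:
    """Emit one 'Redirect <code> old new' line per mapping entry.

    mod_alias applies Redirect directives in file order and each is a prefix
    match, so a short catch-all listed first shadows every longer entry after
    it. Sorting longest source path first makes the specific entries win.
    """
    for old, new in mapping:
        for p in (old, new):
            if not _SAFE_PATH.match(p):
                raise ValueError(f"refusing unsafe path {p!r}")
    ordered = (sorted(mapping, key=lambda e: len(e[0]), reverse=True)
               if most_specific_first else list(mapping))
    return [f"Redirect {code} {old} {new}" for old, new in ordered]


def _prefix_match(old: str, path: str) -> bool:
    """Assumed mod_alias rule: match on whole path segments, not substrings,
    so /archives/2005 matches /archives/2005/x but not /archives/20051."""
    if path == old or path.startswith(old + "/"):
        return True
    return old.endswith("/") and path.startswith(old)


def resolve(lines: List[str], path: str) -> Optional[str]:
    """Emulate the server: first matching directive wins and the rest of the
    request path is appended to the new location. None means no redirect fires."""
    for line in lines:
        _directive, _code, old, new = line.split()
        if _prefix_match(old, path):
            return new + path[len(old):]
    return None


if __name__ == "__main__":
    probe = "/archives/2005/03/hello_world.html"
    naive = redirect_lines(MAPPING, most_specific_first=False)
    good = redirect_lines(MAPPING)
    print("naive order  ->", resolve(naive, probe))  # catch-all wins, entry is lost
    print("sorted order ->", resolve(good, probe))
    print("\n".join(good))  # paste this into .htaccess
```

Running it shows the same request landing on two different locations depending only on directive order, which is exactly the kind of mistake that is invisible until a search engine reports hundreds of dead links. A per-entry curl check against the live site (expecting a 301 and the right Location header) is still worth doing after deployment.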

I assume that having over 200 redirects in my .htaccess file will incur some kind of performance penalty during pageloads, but it’s not noticeable to me. The main advantage is that I can now forget that MT ever existed on my blog and Google and other search engines will transfer whatever SEO karma I had on my old links to the new ones automatically.

We’re buying some new PCs for a couple of new hires at work. We buy through Dell and for the first time we’re buying PCs sold with Windows XP preinstalled but under the Windows Vista Downgrade plan. The way it works is that the PCs have XP SP2 preinstalled but we get OEM media and OEM license keys for both XP Professional and Vista Business. This way when we want to upgrade OS we can do so without paying for a new license.

I’m guessing in another year or so this option may disappear and we’ll be stuck with Vista only. So to prepare I asked our office IT technician to call Microsoft and ask them to send us a 180-day eval copy of Windows Vista Business so that we can install and smoke-test all of our office software and make sure it works.

Turns out that Microsoft stopped giving out 180-day eval copies of Vista last year. Doesn’t make a lot of sense to me. Seems like they’d want businesses to move to Vista and would want to make it easy by providing time-limited eval licenses for testing. Car dealers let you test drive the car before you purchase. Why not with an OS too?

They suggested using the Windows Vista Upgrade Advisor. Hardly a substitute for a real world test, though.

Today between 11am-12pm Hong Kong time, Pacnet’s routing tables got completely screwed up. How, I don’t know, but I was getting traceroute results like this:

C:\Documents and Settings\Ali>tracert news.bbc.co.uk

Tracing route to newswww.bbc.net.uk [212.58.226.75]
over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms 192.168.1.1
2 20 ms 17 ms 19 ms crsall.pacific.net.hk [202.64.10.27]
3 198 ms 242 ms 224 ms v152.tmhc1.pacific.net.hk [202.64.4.1]
4 * * * Request timed out.

C:\Documents and Settings\Ali>tracert www.ebrahim.org

Tracing route to ebrahim.org [216.92.73.127]
over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms 192.168.1.1
2 23 ms 20 ms 18 ms crsall.pacific.net.hk [202.64.10.27]
3 19 ms 17 ms 19 ms v152.tmhc1.pacific.net.hk [202.64.4.1]
4 * * * Request timed out.

C:\Documents and Settings\Ali>tracert blog.ebrahim.org

Tracing route to blog.ebrahim.org [66.39.91.220]
over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms 192.168.1.1
2 19 ms 18 ms 18 ms crsall.pacific.net.hk [202.64.10.27]
3 20 ms 20 ms 20 ms g2-1.tmhr7601.pacific.net.hk [202.64.4.150]
4 20 ms 19 ms 20 ms Gi1-7.gw1.hkg4.asianetcom.net [203.192.153.225]
5 18 ms 19 ms 23 ms gi1-0-0.cr3.hkg3.asianetcom.net [202.147.16.201]
6 78 ms 81 ms 79 ms po13-0-1.cr1.nrt1.asianetcom.net [202.147.0.61]
7 189 ms 192 ms 198 ms po1-0.gw1.sjc1.asianetcom.net [202.147.50.133]
8 206 ms 204 ms 204 ms gige-g5-10.core1.sjc2.he.net [72.52.99.5]
9 247 ms 247 ms 246 ms 10gigabitethernet1-1.core1.chi1.he.net [72.52.92.74]
10 249 ms 250 ms 251 ms a1-0-3.br1.snjsca.us.lightning.net [216.66.3.42]
11 * * * Request timed out.
12 254 ms 254 ms 253 ms blog.ebrahim.org [66.39.91.220]

Trace complete.

What's the real kicker? That blog.ebrahim.org and www.ebrahim.org are hosted on the same machine, but that I can get to one and not the other. Judging by the vague similarity between the IP addresses of www.ebrahim.org and news.bbc.co.uk (both are 21x.x.x.x, which is very vague indeed), I figure that Pacnet has their routing tables all messed up.

At around 11:30 or 11:45am I call up their support to report the problem, and am asked to send them a traceroute report. That makes sense, and I do that. I ask when I can expect a resolution and the drone on the other end tells me that since today is a Sunday, nobody at their NOC is at work, and I can expect a resolution on Monday or Tuesday, up to a full 2 days later.

That’s really appalling support, Pacnet. If you have routing issues that are blocking off entire swaths of the internet, you need to fix this yesterday, not two days later. What kind of NOC goes on holiday on a Sunday? Does the internet take a rest day too?

In case anybody at Pacnet is keeping score, my ticket number is TEC3511 and it’s now 7:15pm and it looks like nothing has been done.

Forgive the pun, but it seems that this AP writer never took AP Physics.

SEATTLE, Washington (AP) — A critical-care nurse aboard an air ambulance fought to keep from being sucked out of the cabin when a window blew out of the aircraft at 20,000 feet.

Even someone with the most elementary physics knowledge would know that you get pushed out, not sucked out. I guess that’s what happens when people learn physics from watching movies.

It reminds me of the Insultingly Stupid Movie Physics site, which is well worth a read. Honestly, I don’t know how anybody can sit through such drivel as The Core with a straight face. Movies like Star Wars are just as bad, but hey — at least they don’t pretend to be realistic.

This site has always been hosted on pair Networks, where I host my email and other personal things which I don’t ever want to go down. In 2005 I also signed up for a Dreamhost account to host a couple of less important things. I knew Dreamhost to be less reliable than pair, but I figured that for what I was paying ($9.99/mo), I could tolerate a little bit of downtime.

Enter 2007. Dreamhost’s service seems to be getting more and more flaky. This year the following happened:

1) Mass power outages, with both primary and backup power failure
2) Complete DNS breakdown affecting all their customers, which Dreamhost classified as a “medium” severity problem

Enter May 2007. People’s sites start getting hacked into (by hackers compromising Dreamhost’s servers, not through client-side hacks). Dreamhost doesn’t notify people until 6 June 2007 (!!!). I was one of the people notified of the breach, as my account had also been hacked into (and my files tampered with):

Hello -

This email is regarding a potential security concern related to your
‘XXXXXXX’ FTP account.

We have detected what appears to be the exploit of a number of
accounts belonging to DreamHost customers, and it appears that your
account was one of those affected.

We’re still working to determine how this occurred, but it appears
that a 3rd party found a way to obtain the password information
associated with approximately 3,500 separate FTP accounts and has
used that information to append data to the index files of customer
sites using automated scripts (primarily for search engine
optimization purposes).

Our records indicate that only roughly 20% of the accounts accessed -
less than 0.15% of the total accounts that we host - actually had
any changes made to them. Most accounts were untouched.

We ask that you do the following as soon as possible:

1. Immediately change your FTP password, as well as that of any other
accounts that may share the same password. We recommend the use of
passwords containing 8 or more random letters and numbers. You may
change your FTP password from the web panel (”Users” section, “Manage
Users” sub-section).

2. Review your hosted accounts/sites and ensure that nothing has been
uploaded or changed that you did not do yourself. Many of the
unauthorized logins did not result in changes at all (the intruder
logged in, obtained a directory listing and quickly logged back out)
but to be sure you should carefully review the full contents of your
account.

Again, only about 20% of the exploited accounts showed any
modifications, and of those the only known changes have been to site
index documents (ie. ‘index.php’, ‘index.html’, etc - though we
recommend looking for other changes as well).

It appears that the same intruder also attempted to gain direct
access to our internal customer information database, but this was
thwarted by protections we have in place to prevent such access.
Similarly, we have seen no indication that the intruder accessed
other customer account services such as email or MySQL databases.

In the last 24 hours we have made numerous significant behind-the-
scenes changes to improve internal security, including the discovery
and patching to prevent a handful of possible exploits.

We will, of course, continue to investigate the source of this
particular security breach and keep customers apprised of what we
find. Once we learn more, we will be sure to post updates as they
become available to our status weblog:

http://www.dreamhoststatus.com/

Thank you for your patience. If you have any questions or concerns,
please let us know.

- DreamHost Security Team

I dutifully changed all my passwords and fixed all the damage. Next day my account was compromised again and my files tampered with again. At this point I decided to jump ship and move all my sites to pair. I’ve totally lost confidence in Dreamhost.

A couple of other things to note:

1) Dreamhost was storing all user passwords in plaintext.
2) They had the audacity to blame users for the compromise.
3) Rather than fixing the broken FTP daemon through which accounts were compromised they have just added an option to disable plaintext FTP for user accounts.
4) They still haven’t notified me that my site was compromised a second time.
5) A lot of people I know have had their sites compromised and files changed. I’m rather sceptical of their claim that only 0.15% of their sites had files changed. Here is but a small sample.

I’m willing to tolerate some inconvenience to save a few bucks but seriously no savings is worth this kind of hassle.

So that’s it. Goodbye Dreamhost.

On 29 May 2007, Zainab and I were blessed with a beautiful daughter, Rashida Ebrahim. She was born in Westminster, UK.

I was buying RAM today for a friend, and I noticed something quirky going on at Crucial.com. When I was at his house, I noticed that the stick of RAM he needed was $67.97. When I got home and went to order it, the price had ‘dropped’ to $65.93. I figured this was just due to volatile RAM prices. I placed the order at $65.93 and didn’t think much of it.

Later on, out of curiosity, I checked the prices again, and I happened to use IE for this. The price was back up to $67.97. I thought this a little odd, so I checked again in Firefox, and the price there was still showing $65.93. I checked in Opera, and the price was $67.97.

The part in question, CT522745 is a 512MB upgrade for a Dell Dimension 4500. Screenshots from Firefox and IE are below:

Screenshot of Crucial.com showing RAM prices in Firefox

Screenshot of Crucial.com showing RAM prices in Internet Explorer

Are Firefox users getting a hidden discount?

UPDATE: It looks like Firefox users are not being singled out for a discount, but rather that I had a cookie set in Firefox by them (it’s been years since I ordered anything from them) and when I cleared this cookie, pricing went back to ‘normal’. False alarm, but if only I had saved the cookie… :)

I was browsing through Yusuf’s blog today and, in his post about enabling cheaper SSL hosting, read for the first time about Server Name Indication (SNI), as specified in section 3.1 of RFC 3546.

Anyone who’s had to set up a TLS/SSL (let’s say secure) site knows that currently a secure site must be hosted on its own IP address (strictly, its own IP:port pair). If you need to host more than one secure site, you need a separate IP for each. The reason is that the TLS handshake completes before the client sends any HTTP request, so the server never sees the Host header at the moment it has to choose a certificate; pre-SNI, the only thing it knows about an incoming connection is the IP and port it arrived on, so the name a certificate is served for is effectively tied to DNS and the IP alone. SNI works around this by adding a server_name extension to the TLS ClientHello: the client includes the hostname it is trying to reach, so the server knows which certificate to present before the handshake continues. One caveat worth knowing: that hostname is sent in the clear, before any encryption has been negotiated, so anyone watching the wire can see which of the sites sharing an IP you are visiting. This is explained a lot more elegantly by Paul Querna.
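To make the extra handshake step concrete, here is an added example (mine, not code from the post or from any TLS implementation) that encodes and decodes the server_name extension exactly as RFC 3546 section 3.1 lays it out, then uses it the way an SNI-aware server would: look the hostname up in a virtual-host table and fall back to the default certificate when a pre-SNI client sends no extension at all. The virtual-host table and certificate labels are constructed for illustration; the byte layout follows the RFC (extension_type 0, a length-prefixed ServerNameList, each entry a NameType byte, a two-byte length and the ASCII HostName).

```python
"""Encode and decode the TLS server_name extension (RFC 3546 section 3.1) and
pick a certificate the way an SNI-aware server does. Added example; the
virtual-host table below is constructed."""
import ipaddress
import struct
from typing import Dict, List, Optional

SERVER_NAME_EXT_TYPE = 0  # ExtensionType server_name(0)
NAME_TYPE_HOST_NAME = 0   # NameType host_name(0)


def build_sni_extension(hostname: str) -> bytes:
    """Encode one host_name entry exactly as it travels inside a ClientHello."""
    # RFC 3546: HostName is ASCII, carries no trailing dot, and IPv4/IPv6
    # literals are not permitted (the field is for DNS names only).
    if hostname.endswith(".") or not hostname.isascii():
        raise ValueError(f"invalid SNI hostname {hostname!r}")
    try:
        ipaddress.ip_address(hostname)
    except ValueError:
        pass  # not an IP literal, which is what we want
    else:
        raise ValueError("IP literals are not allowed in server_name")
    name = hostname.encode("ascii")
    if not 1 <= len(name) <= 0xFFFF:
        raise ValueError("HostName must be 1..65535 bytes")
    server_name = struct.pack("!BH", NAME_TYPE_HOST_NAME, len(name)) + name
    name_list = struct.pack("!H", len(server_name)) + server_name  # ServerNameList
    return struct.pack("!HH", SERVER_NAME_EXT_TYPE, len(name_list)) + name_list


def parse_sni_extension(ext: bytes) -> str:
    """Decode the extension, rejecting any length field that disagrees with the
    bytes actually present (the classic parser-side bug class for TLS code)."""
    if len(ext) < 4:
        raise ValueError("truncated extension header")
    ext_type, ext_len = struct.unpack("!HH", ext[:4])
    if ext_type != SERVER_NAME_EXT_TYPE:
        raise ValueError(f"extension type {ext_type} is not server_name")
    body = ext[4:]
    if len(body) != ext_len or ext_len < 2:
        raise ValueError("extension_data length mismatch")
    (list_len,) = struct.unpack("!H", body[:2])
    names = body[2:]
    if len(names) != list_len:
        raise ValueError("ServerNameList length mismatch")
    hostnames: List[str] = []
    pos = 0
    while pos < len(names):
        if len(names) - pos < 3:
            raise ValueError("truncated ServerName entry")
        name_type, name_len = struct.unpack("!BH", names[pos:pos + 3])
        pos += 3
        value = names[pos:pos + name_len]
        if len(value) != name_len:
            raise ValueError("truncated HostName")
        pos += name_len
        if name_type == NAME_TYPE_HOST_NAME:
            hostnames.append(value.decode("ascii"))
        # Unknown name types are skipped; the RFC lets a server ignore them.
    if len(hostnames) != 1:
        # RFC 3546: no more than one name of a given type in the list.
        raise ValueError(f"expected exactly one host_name, got {len(hostnames)}")
    return hostnames[0]


def select_certificate(vhosts: Dict[str, str], default_cert: str,
                       sni_ext: Optional[bytes]) -> str:
    """Choose the certificate to present on one shared IP:port.

    vhosts maps lowercase hostnames to certificate labels. A pre-SNI client
    sends no extension (sni_ext is None); all the server knows then is the
    address it accepted the connection on, so it can only serve the default.
    An unknown name also gets the default here, which is what Apache does;
    a stricter server could instead send an unrecognized_name alert.
    """
    if sni_ext is None:
        return default_cert
    hostname = parse_sni_extension(sni_ext).lower()  # DNS names are case-insensitive
    return vhosts.get(hostname, default_cert)


if __name__ == "__main__":
    # Constructed virtual-host table: two names sharing one IP address.
    VHOSTS = {"www.ebrahim.org": "cert-www", "blog.ebrahim.org": "cert-blog"}
    for name in ("www.ebrahim.org", "blog.ebrahim.org", "news.bbc.co.uk"):
        ext = build_sni_extension(name)
        print(name, ext.hex(), "->", select_certificate(VHOSTS, "cert-www", ext))
    print("no SNI ->", select_certificate(VHOSTS, "cert-www", None))
```

In real code you never build this by hand: Python's ssl module sends the extension when you pass server_hostname to SSLContext.wrap_socket on the client side, and a server reads it through SSLContext.sni_callback (set_servername_callback on older versions) to swap in the right certificate. The hand-rolled version is here to show that the hostname is plain, unencrypted bytes in the very first message of the handshake.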

SNI makes life better because secure hosting becomes more affordable. The cost of a secure certificate is often no longer the largest cost that secure sites must bear to be secure. One can get a certificate for $20/year. However, dedicated IPs are expensive. On a host such as Dreamhost, unique IPs cost $4.95/month. Add this up and it’s almost $60/year. If this extra cost can be eliminated a lot more businesses might be tempted to go secure, and this is a good thing for everybody.

So what’s the current state of browsers?

It’s no secret that as far as end users are concerned, backend features are not as sexy as features which are exposed in the UI, but I wonder whether, if SNI support is added to Gecko/NSS before IE, Firefox will suddenly become a lot sexier to businesses which don’t have an arbitrarily large IP space but are looking to standardise on a browser, or to recommend one to their clients. Hey, it’s a much better solution than forcing an upgrade to Vista.

In other news, India has caught up with Intel and AMD and is now producing dual-core “devices” locally.
